FortiOS 5.4 Online Help Link FortiOS 5.2 Online Help Link FortiOS 5.0 Online Help Link FortiOS 4.3 Online Help Link

Home > Online Help

> Chapter 14 - IPsec VPN > Protecting OSPF with IPsec > OSPF over IPsec configuration

OSPF over IPsec configuration

There are several steps to the OSPF-over-IPsec configuration:

  • Configure a route-based IPsec VPN on an external interface. It will connect to a corresponding interface on the other FortiGate unit. Define the two tunnel-end addresses.
  • Configure a static route to the other FortiGate unit.
  • Configure the tunnel network as part of the OSPF network and define the virtual IPsec interface as an OSPF interface.

This section describes the configuration with only one VPN, tunnel_wan1. The other VPN is added in the section OSPF over IPsec configuration.

Configuring the IPsec VPN

A route-based VPN is required. In this chapter, preshared key authentication is shown. Certificate authentication is also possible. Both FortiGate units need this configuration.

To configure Phase 1
  1. Define the Phase 1 configuration needed to establish a secure connection with the other FortiGate unit. For more information, see Phase 1 parameters.

Enter these settings in particular:

Name Enter a name to identify the VPN tunnel, tunnel_wan1 for example. This becomes the name of the virtual IPsec interface.
Remote Gateway Select Static IP Address.
IP Address Enter the IP address of the other FortiGate unit’s public (Port 2) interface.
Local Interface Select this FortiGate unit’s public (Port 2) interface.
Mode Select Main (ID Protection).
Authentication Method Preshared Key
Pre-shared Key Enter the preshared key. It must match the preshared key on the other FortiGate unit.
Advanced Select Advanced.
To assign the tunnel end IP addresses
  1. Go to System > Network > Interfaces, select the virtual IPsec interface that you just created on Port 2 and select Edit.
  2. In the IP and Remote IP fields, enter the following tunnel end addresses:
  FortiGate_1 FortiGate_2
IP 10.1.1.1 10.1.1.2
Remote_IP 10.1.1.2 10.1.1.1

These addresses are from a network that is not used for anything else.

To configure Phase 2
  1. Enter a name to identify this Phase 2 configuration, twan1_p2, for example.
  2. Select the name of the Phase 1 configuration that you defined in Step OSPF over IPsec configuration, tunnel_wan1 for example.

Configuring static routing

You need to define the route for traffic leaving the external interface.

  1. Go to Router > Static > Static Routes, select Create New.

For low-end FortiGate units, go to System > Network > Routing and select Create New.

  1. Enter the following information.
Destination IP/Mask Leave as 0.0.0.0 0.0.0.0.
Device Select the external interface.
Gateway Enter the IP address of the next hop router.

Configuring OSPF

This section does not attempt to explain OSPF router configuration. It focusses on the integration of the IPsec tunnel into the OSPF network. This is accomplished by assigning the tunnel as an OSPF interface, creating an OSPF route to the other FortiGate unit.

This configuration uses loopback interfaces to ease OSPF troubleshooting. The OSPF router ID is set to the loopback interface address.The loopback interface ensures the router is always up. Even though technically the router ID doesn’t have to match a valid IP address on the FortiGate unit, having an IP that matches the router ID makes troubleshooting a lot easier.

The two FortiGate units have slightly different configurations. FortiGate_1 is an AS border router that advertises its static default route. FortiGate_2 advertises its local LAN as an OSPF internal route.

Setting the router ID for each FortiGate unit to the lowest possible value is useful if you want the FortiGate units to be the designated router (DR) for their respective ASes. This is the router that broadcasts the updates for the AS.

Leaving the IP address on the OSPF interface at 0.0.0.0 indicates that all potential routes will be advertised, and it will not be limited to any specific subnet. For example if this IP address was 10.1.0.0, then only routes that match that subnet will be advertised through this interface in OSPF.

FortiGate_1 OSPF configuration

When configuring FortiGate_1 for OSPF, the loopback interface is created, and then you configure OSPF area networks and interfaces.

With the exception of creating the loopback interface, OSPF for this example can all be configured in either the web-based manager or CLI.

To create the loopback interface

A loopback interface can be configured in the CLI only. For example, if the interface will have an IP address of 10.0.0.1, you would enter:

config system interface

edit lback1

set vdom root

set ip 10.0.0.1 255.255.255.255

set type loopback

end

 

The loopback addresses and corresponding router IDs on the two FortiGate units must be different. For example, set the FortiGate 1 loopback to 10.0.0.1 and the FortiGate 2 loopback to 10.0.0.2.

To configure OSPF area, networks, and interfaces - web-based manager
  1. On FortiGate_1, go to Router > Dynamic > OSPF.
    For low end FortiGate units, you first need to enable Dynamic Routing by going to System > Admin > Settings.
  2. Enter the following information to define the router, area, and interface information.
Router ID Enter 10.0.0.1. Select Apply before entering the remaining information.
Advanced Options  
Redistribute Select the Connected and Static check boxes. Use their default metric values.
Areas Select Create New, enter the Area and Type and then select OK.
Area 0.0.0.0
Type Regular
Interfaces Enter a name for the OSPF interface, ospf_wan1 for example.
Name  
Interface Select the virtual IPsec interface, tunnel_wan1.
IP 0.0.0.0
  1. For Networks, select Create New.
  2. Enter the IP/Netmask of 10.1.1.0/255.255.255.0 and an Area of 0.0.0.0.
  3. For Networks, select Create New.
  4. Enter the IP/Netmask of 10.0.0.1/255.255.255.0 and an Area of 0.0.0.0.
  5. Select Apply.
To configure OSPF area and interfaces - CLI

Your loopback interface is 10.0.0.1, your tunnel ends are on the 10.1.1.0/24 network, and your virtual IPsec interface is named tunnel_wan1. Enter the following CLI commands:

config router ospf

set router-id 10.0.0.1

config area

edit 0.0.0.0

end

config network

edit 4

set prefix 10.1.1.0 255.255.255.0

next

edit 2

set prefix 10.0.0.1 255.255.255.255

end

config ospf-interface

edit ospf_wan1

set cost 10

set interface tunnel_wan1

set network-type point-to-point

end

config redistribute connected

set status enable

end

config redistribute static

set status enable

end

end

FortiGate_2 OSPF configuration

When configuring FortiGate_2 for OSPF, the loopback interface is created, and then you configure OSPF area networks and interfaces.

Configuring FortiGate_2 differs from FortiGate_1 in that three interfaces are defined instead of two. The third interface is the local LAN that will be advertised into OSPF.

With the exception of creating the loopback interface, OSPF for this example can all be configured in either the web-based manager or CLI.

To create the loopback interface

A loopback interface can be configured in the CLI only. For example, if the interface will have an IP address of 10.0.0.2, you would enter:

config system interface

edit lback1

set vdom root

set ip 10.0.0.2 255.255.255.255

set type loopback

end

 

The loopback addresses on the two FortiGate units must be different. For example, set the FortiGate 1 loopback to 10.0.0.1 and the FortiGate 2 loopback to 10.0.0.2.

To configure OSPF area and interfaces - web-based manager
  1. On FortiGate_2, go to Router > Dynamic > OSPF.

    For low end FortiGate units, you first need to enable Dynamic Routing by going to System > Admin > Settings.
  2. Complete the following.
Router ID 10.0.0.2
Areas Select Create New, enter the Area and Type and then select OK.
Area 0.0.0.0
Type Regular
Interfaces  
Name Enter a name for the OSPF interface, ospf_wan1 for example.
Interface Select the virtual IPsec interface, tunnel_wan1.
IP 0.0.0.0
  1. For Networks, select Create New.
  2. Enter the following information for the loopback interface:
IP/Netmask 10.0.0.2/255.255.255.255
Area 0.0.0.0
  1. For Networks, select Create New.
  2. Enter the following information for the tunnel interface:
IP/Netmask 10.1.1.0/255.255.255.255
Area 0.0.0.0
  1. For Networks, select Create New.
  2. Enter the following information for the local LAN interface:
IP/Netmask 10.31.101.0/255.255.255.255
Area 0.0.0.0
  1. Select Apply.
To configure OSPF area and interfaces - CLI

If for example, your loopback interface is 10.0.0.2, your tunnel ends are on the 10.1.1.0/24 network, your local LAN is 10.31.101.0/24, and your virtual IPsec interface is named tunnel_wan1, you would enter:

config router ospf

set router-id 10.0.0.2

config area

edit 0.0.0.0

end

config network

edit 1

set prefix 10.1.1.0 255.255.255.0

next

edit 2

set prefix 10.31.101.0 255.255.255.0

next

edit 2

set prefix 10.0.0.2 255.255.255.255

end

config ospf-interface

edit ospf_wan1

set interface tunnel_wan1

set network-type point-to-point

end

end